Authorities Claim LockBit Admin “LockBitSupp” Has Engaged with Law Enforcement

Sun, 25 Feb 2024

LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, “has engaged with law enforcement,” authorities said.

The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue accounts on third-party services like Mega, Protonmail, and Tutanota used by the criminals have been shuttered.

“We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement,” according to a message posted on the now-seized (and offline) dark web data leak site.

The move has been interpreted by long-term watchers of LockBit as an attempt to create suspicion and sow the seeds of distrust among affiliates, ultimately undermining trust in the group within the cybercrime ecosystem.

According to research published by Analyst1 in August 2023, there is evidence to suggest that at least three different people have operated the “LockBit” and “LockBitSupp” accounts, one of them being the gang’s leader itself.

However, speaking to malware research group VX-Underground, LockBit stated “they did not believe law enforcement know his/her/their identities.” They also raised the bounty offered to anyone who could message them their real names to $20 million. It’s worth noting that the reward was increased from $1 million USD to $10 million late last month.

LockBit – also called Gold Mystic and Water Selkie – has had several iterations since its inception in September 2019, namely LockBit Red, LockBit Black, and LockBit Green, with the cybercrime syndicate also secretly developing a new version called LockBit-NG-Dev prior to its infrastructure being dismantled.

“LockBit-NG-Dev is now written in .NET and compiled using CoreRT,” Trend Micro said. “When deployed alongside the .NET environment, this allows the code to be more platform-agnostic. It removed the self-propagating capabilities and the ability to print ransom notes via the user’s printers.”

One of the notable additions is a validity period: the malware continues to operate only if the current date falls within a specific date range, suggesting attempts on the part of the developers to prevent the reuse of the malware as well as resist automated analysis.

Work on the next generation variant is said to have been spurred by a number of logistical, technical, and reputational problems, prominently driven by the leak of the ransomware builder by a disgruntled developer in September 2022 and also misgivings that one of its administrators may have been replaced by government agents.

It also didn’t help that the LockBit-managed accounts were banned from Exploit and XSS towards the end of January 2024 for failing to pay an initial access broker who provided them with access.

“The actor came across as someone who was ‘too big to fail’ and even showed disdain to the arbitrator who would make the decision on the outcome of the claim,” Trend Micro said. “This discourse demonstrated that LockBitSupp is likely using their reputation to carry more weight when negotiating payment for access or the share of ransom payouts with affiliates.”

PRODAFT, in its own analysis of the LockBit operation, said it identified over 28 affiliates, some of whom share ties with other Russian e-crime groups like Evil Corp, FIN7, and Wizard Spider (aka TrickBot).

These connections are also evidenced by the fact that the gang operated as a “nesting doll” with three distinct layers, giving an outward perception of an established RaaS scheme comprising dozens of affiliates while stealthily borrowing highly skilled pen testers from other ransomware groups by forging personal alliances.

The smokescreen materialized in the form of what’s called a Ghost Group model, according to RedSense researchers Yelisey Bohuslavskiy and Marley Smith, with LockBitSupp serving “as a mere distraction for actual operations.”

“A Ghost Group is a group that has very high capabilities but transfers them to another brand by allowing the other group to outsource operations to them,” they said. “The clearest version of this is Zeon, who has been outsourcing their skills to LockBit and Akira.”

The group is estimated to have made more than $120 million in illicit profits in its multi-year run, emerging as the most active ransomware actor in history.

“Given that confirmed attacks by LockBit over their four years in operation total well over 2,000, this suggests that their impact globally is in the region of multi-billions of dollars,” the U.K. National Crime Agency (NCA) said.

Needless to say, Operation Cronos has likely caused irreparable damage to the criminal outfit’s ability to continue with ransomware activities, at least under its current brand.

“The rebuilding of the infrastructure is very unlikely; LockBit’s leadership is very technically incapable,” RedSense said. “People to whom they delegated their infrastructural development have long left LockBit, as seen by the primitivism of their infra.”

“[Initial access brokers], which were the main source of LockBit’s venture, will not trust their access to a group after a takedown, as they want their access to be turned into cash.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



German Authorities Dismantle Dark Web Hub ‘Kingdom Market’ in Global Operation

Dec 21, 2023 | Newsroom | Dark Web / Cybercrime

German law enforcement has announced the disruption of a dark web platform called Kingdom Market that specialized in the sales of narcotics and malware to “tens of thousands of users.”

The exercise, which involved collaboration from authorities from the U.S., Switzerland, Moldova, and Ukraine, began on December 16, 2023, the Federal Criminal Police Office (BKA) said.

Kingdom Market is said to have been accessible over the Tor and Invisible Internet Project (I2P) anonymization networks since at least March 2021, trafficking in illegal narcotics as well as advertising malware, criminal services, and forged documents.

As many as 42,000 products have been sold via several hundred seller accounts on the English language platform prior to its takedown, with 3,600 of them originating from Germany.

Transactions on the Kingdom Market were facilitated through cryptocurrency payments in the form of Bitcoin, Litecoin, Monero, and Zcash, with the website operators receiving a 3% commission for processing the sales of the illicit goods.

“The operators of ‘Kingdom Market’ are suspected of commercially operating a criminal trading platform on the Internet and of illicit trafficking in narcotics,” the BKA said, adding an investigation into the seized server infrastructure is ongoing.

In addition to the seizure, one person connected to the running of Kingdom Market has been charged in the U.S. with identity theft and money laundering. Alan Bill, who also goes by the aliases Vend0r and KingdomOfficial, has been described as a Slovakian national.

The development comes days after another coordinated law enforcement effort saw the dismantling of the BlackCat ransomware’s dark web infrastructure, prompting the group to respond to the seizure of its data leak site by wresting control of the page, claiming they had “unseized” it.
